OFFICE OF INSPECTOR GENERAL

Catalyst for Improving the Environment

Special Report

Federal Information Security Management Act

Fiscal Year 2005 Status of EPA’s Computer Security Program

Report No. 2006-S-00001

October 3, 2005


Report Contributors:
    Rudolph M. Brevard
    Charles Dade
    Cheryl Reid
    Neven Morcos
    Sejal Shah


UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

INSPECTOR GENERAL

October 3, 2005


MEMORANDUM

SUBJECT:  Fiscal Year 2005 Federal Information Security Management Act Report

TO:       Stephen L. Johnson
          Administrator


Attached is the Office of Inspector General’s (OIG) completed Fiscal Year (FY) 2005 Federal Information Security Management Act Reporting Template, as prescribed by the Office of Management and Budget (OMB). In addition, Appendix A synopsizes the results of our significant FY 2005 information security audits.

In accordance with OMB reporting instructions, I am forwarding this report to you for submission, along with the Agency’s required information, to the Director, Office of Management and Budget.


                                       Nikki L. Tinsley


Attachment

cc:
Assistant Administrator for Environmental Information and Chief Information Officer
Director, Office of Technology Operations and Planning
Senior Agency Information Security Officer
Director, National Technology Services Division
Associate Director, Technical Information Security Staff
Operations Security Manager, National Technology Services Division
Audit Coordinator, Office of Environmental Information
Audit Coordinator, Technical Information Security Staff


Section C: Inspector General. Questions 1, 2, 3, 4, and 5.

Agency Name: Environmental Protection Agency

Questions 1 and 2

1. As required in FISMA, the IG shall evaluate a representative subset of systems, including information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. By FIPS 199 risk impact level (high, moderate, low, or not categorized) and by bureau, identify the number of systems reviewed in this evaluation for each classification below (a., b., and c.).

   To meet the requirement for conducting a NIST Special Publication 800-26 review, agencies can:
   1) Continue to use NIST Special Publication 800-26, or
   2) Conduct a self-assessment against the controls found in NIST Special Publication 800-53.

   Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self-reporting by contractors does not meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

2. For each part of this question, identify actual performance in FY 05 by risk impact level and bureau, in the format provided below. From the representative subset of systems evaluated, identify the number of systems which have completed the following: have a current certification and accreditation, a contingency plan tested within the past year, and security controls tested within the past year.

Column key for the table below:

   Question 1
      a. FY 05 Agency Systems: Total Number (Tot) / Number Reviewed (Rev)
      b. FY 05 Contractor Systems: Total Number (Tot) / Number Reviewed (Rev)
      c. FY 05 Total Number of Systems: Total Number (Tot) / Number Reviewed (Rev)
   Question 2
      a. Number of systems certified and accredited: Number (No.) / Percent of Total (Pct)
      b. Number of systems for which security controls have been tested and evaluated in the last year: Number (No.) / Percent of Total (Pct)
      c. Number of systems for which contingency plans have been tested in accordance with policy and guidance: Number (No.) / Percent of Total (Pct)

   The Question 2 percentages are relative to the number of systems reviewed (Question 1c, Rev), not to the total inventory; for example, Office of Air and Radiation, High: 1 of the 1 reviewed systems had its security controls tested, reported as 100.0%.

Bureau Name /                  Q1a   |  Q1b   |  Q1c   |    Q2a     |    Q2b     |    Q2c
FIPS 199 Risk Impact Level    Tot Rev |Tot Rev |Tot Rev |No.     Pct |No.     Pct |No.     Pct

Office of Administrator
  High              3   0 |  0   0 |  3   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Moderate          0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Low               0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Not Categorized   0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Sub-total         3   0 |  0   0 |  3   0 |  0    0.0% |  0    0.0% |  0    0.0%

Office of Air and Radiation
  High              2   1 |  0   0 |  2   1 |  0    0.0% |  1  100.0% |  1  100.0%
  Moderate         11   0 |  0   0 | 11   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Low               4   0 |  2   0 |  6   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Not Categorized   0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Sub-total        17   1 |  2   0 | 19   1 |  0    0.0% |  1  100.0% |  1  100.0%

Office of Administration and Resources Management
  High              0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Moderate          6   1 |  2   0 |  8   1 |  0    0.0% |  1  100.0% |  0    0.0%
  Low               3   0 |  0   0 |  3   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Not Categorized   0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Sub-total         9   1 |  2   0 | 11   1 |  0    0.0% |  1  100.0% |  0    0.0%

Office of Chief Financial Officer
  High              1   0 |  0   0 |  1   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Moderate         16   7 |  0   0 | 16   7 |  0    0.0% |  0    0.0% |  0    0.0%
  Low               1   0 |  0   0 |  1   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Not Categorized   0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Sub-total        18   7 |  0   0 | 18   7 |  0    0.0% |  0    0.0% |  0    0.0%

Office of Enforcement and Compliance Assurance
  High              0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Moderate          8   1 |  0   0 |  8   1 |  0    0.0% |  1  100.0% |  0    0.0%
  Low               2   0 |  0   0 |  2   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Not Categorized   0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Sub-total        10   1 |  0   0 | 10   1 |  0    0.0% |  1  100.0% |  0    0.0%

Office of Environmental Information - Central
  High              3   0 |  0   0 |  3   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Moderate          6   1 |  1   0 |  7   1 |  0    0.0% |  1  100.0% |  0    0.0%
  Low               4   0 |  0   0 |  4   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Not Categorized   0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Sub-total        13   1 |  1   0 | 14   1 |  0    0.0% |  1  100.0% |  0    0.0%

Office of Environmental Information - Non-Central
  High              0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Moderate         10   0 |  3   0 | 13   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Low               8   0 |  3   0 | 11   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Not Categorized   0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Sub-total        18   0 |  6   0 | 24   0 |  0    0.0% |  0    0.0% |  0    0.0%

Office of General Counsel
  High              0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Moderate          1   0 |  0   0 |  1   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Low               0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Not Categorized   0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Sub-total         1   0 |  0   0 |  1   0 |  0    0.0% |  0    0.0% |  0    0.0%

Office of International Activities
  High              0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Moderate          1   0 |  0   0 |  1   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Low               0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Not Categorized   0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Sub-total         1   0 |  0   0 |  1   0 |  0    0.0% |  0    0.0% |  0    0.0%

Office of the Inspector General
  High              2   0 |  0   0 |  2   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Moderate          3   0 |  0   0 |  3   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Low               3   0 |  0   0 |  3   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Not Categorized   0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Sub-total         8   0 |  0   0 |  8   0 |  0    0.0% |  0    0.0% |  0    0.0%

Office of Prevention, Pesticides and Toxic Substances
  High              0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Moderate          6   0 |  0   0 |  6   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Low               2   0 |  0   0 |  2   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Not Categorized   0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Sub-total         8   0 |  0   0 |  8   0 |  0    0.0% |  0    0.0% |  0    0.0%

Office of Research and Development
  High              5   0 |  0   0 |  5   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Moderate          6   0 |  0   0 |  6   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Low               3   0 |  0   0 |  3   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Not Categorized   0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Sub-total        14   0 |  0   0 | 14   0 |  0    0.0% |  0    0.0% |  0    0.0%

Office of Solid Waste and Emergency Response
  High              0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Moderate          6   1 |  0   0 |  6   1 |  0    0.0% |  1  100.0% |  0    0.0%
  Low               5   0 |  1   0 |  6   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Not Categorized   0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Sub-total        11   1 |  1   0 | 12   1 |  0    0.0% |  1  100.0% |  0    0.0%

Office of Water
  High              0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Moderate          9   1 |  0   0 |  9   1 |  0    0.0% |  1  100.0% |  0    0.0%
  Low               1   0 |  0   0 |  1   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Not Categorized   0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Sub-total        10   1 |  0   0 | 10   1 |  0    0.0% |  1  100.0% |  0    0.0%

Region 1
  High              0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Moderate          1   0 |  0   0 |  1   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Low               0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Not Categorized   0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Sub-total         1   0 |  0   0 |  1   0 |  0    0.0% |  0    0.0% |  0    0.0%

Region 2
  High              0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Moderate          2   0 |  0   0 |  2   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Low               0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Not Categorized   0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Sub-total         2   0 |  0   0 |  2   0 |  0    0.0% |  0    0.0% |  0    0.0%

Region 3
  High              0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Moderate          1   0 |  0   0 |  1   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Low               0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Not Categorized   0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Sub-total         1   0 |  0   0 |  1   0 |  0    0.0% |  0    0.0% |  0    0.0%

Region 4
  High              0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Moderate          1   0 |  0   0 |  1   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Low               0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Not Categorized   0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Sub-total         1   0 |  0   0 |  1   0 |  0    0.0% |  0    0.0% |  0    0.0%

Region 5
  High              0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Moderate          2   0 |  0   0 |  2   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Low               1   0 |  0   0 |  1   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Not Categorized   0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Sub-total         3   0 |  0   0 |  3   0 |  0    0.0% |  0    0.0% |  0    0.0%

Region 6
  High              0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Moderate          1   0 |  0   0 |  1   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Low               0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Not Categorized   0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Sub-total         1   0 |  0   0 |  1   0 |  0    0.0% |  0    0.0% |  0    0.0%

Region 7
  High              0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Moderate          1   0 |  0   0 |  1   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Low               0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Not Categorized   0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Sub-total         1   0 |  0   0 |  1   0 |  0    0.0% |  0    0.0% |  0    0.0%

Region 8
  High              0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Moderate          1   0 |  0   0 |  1   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Low               1   0 |  0   0 |  1   0 |  0    0.0% |  0    0.0% |  0    0.0%
  Not Categorized   0   0 |  0   0 |  0   0 |  0    0.0% |  0    0.0% |  0    0.0%
        Sub-total        2              0        0               0          2            0         0      0.0%           0       0.0%            0         0.0%\n\n\n\n\n                                                                                      5\n\n\x0c                                              a.                       b.                          c.                       a.                       b.            c.\n                                        FY 05 Agency            FY 05 Contractor         FY 05 Total Number of      Number of systems           Number of          Number of systems for\n                                          Systems                   Systems                     Systems               certified and         systems for which      which contingency\n                                                                                                                       accredited            security controls     plans have been tested\n                                                                                                                                             have been tested      in accordance with\n                                                                                                                                             and evaluated in      policy and guidance\n                                                                                                                                               the last year\n                  FIPS 199 Risk      Total       Number         Total      Number         Total       Number         Total       Percent     Total      Percent       Total     Percent\nBureau Name       Impact Level      Number      Reviewed       Number     Reviewed       Number      Reviewed       Number       of Total   Number      of Total     Number     Of Total\n\n\nRegion 9                    High           0               0         0               0          0               0 
           0      0.0%           0       0.0%             0         0.0%\n\n                       Moderate            1               0         0               0          1               0            0      0.0%           0       0.0%             0         0.0%\n                            Low            0               0         0               0          0               0            0      0.0%           0       0.0%             0         0.0%\n                             Not\n                     Categorized           0               0         0               0          0               0            0      0.0%           0       0.0%             0         0.0%\n                       Sub-total           1               0         0               0          1               0            0      0.0%           0       0.0%             0         0.0%\nRegion 10                   High           0               0         0               0          0               0            0      0.0%           0       0.0%             0         0.0%\n                      Moderate             0               0         0               0          0               0            0      0.0%           0       0.0%             0         0.0%\n                            Low            1               0         0               0          1               0            0      0.0%           0       0.0%             0         0.0%\n                             Not\n                    Categorized            0             0           0               0         0             0               0      0.0%           0       0.0%             0         0.0%\n                      Sub-total            1             0           0               0         1             0               0      0.0%           0       0.0%             0         0.0%\n                  Sub-total              155            13          12               0       167            13               0      0.0%           6     100.0%     
        1        20.0%\nAgency Totals        High                 16             1           0               0        16             1               0      0.0%           1      16.7%             1        20.0%\n                     Moderate            100            12           6               0       106            12               0      0.0%           5      83.3%             0         0.0%\n                      Low                39             0           6             0         45              0             0       0.0%            0       0.0%            0         0.0%\n                      Not\n                  Categorized             0             0           0             0          0              0             0       0.0%            0       0.0%            0         0.0%\n                           Total        155            13          12             0        167             13             0       0.0%            6     100.0%            1        20.0%\nComments: Question 1- The OIG accepted the Agency's numbers as accurate without verification. Question 2 The universe of systems reviewed for 2.a through 2.c represents unique\nsubsets of the Agency's systems, based on individual reviews conducted by the OIG. The universes for: 2.a is 7; 2.b is 6; and 2.c is 5. Therefore, we calculated the respective column\npercentages by dividing the respective number by the universe for that column. 
2.b we gave credit for system testing and evaluations if the security of the servers associated with the\nsystems were being monitored using vulnerability scanning software (such as ISS or Nessus) or configuration management software (such as Bindview or ESM).\n\n\n\n\n                                                                                                6\n\n\x0c                                                                                                   Question 3\nIn the format below, evaluate the agency\xe2\x80\x99s oversight of contractor systems, and agency system inventory.\n            The agency performs oversight and evaluation to ensure information systems used \n\n            or operated by a contractor of the agency or other organization on behalf of the agency\n\n            meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy,\n\n            and agency policy. Self-reporting of NIST Special Publication 800-26 requirements by a \n\n            contractor or other organization is not sufficient, however, self-reporting by another Federal \n\n            agency may be sufficient. \n\n   3.a. 
\t                                                                                                         - Almost Always, for example, approximately 96-100% of the time\n            Response Categories:\n                     Rarely, for example, approximately 0-50% of the time\n                     Sometimes, for example, approximately 51-70% of the time\n            -        Frequently,  for example, approximately 71-80% of the time\n            -        Mostly, for example, approximately 81-95% of the time\n             -       Almost Always, for example, approximately 96-100% of the time \n\n            The\n            -    agency has developed an inventory of major information systems (including major national \n\n            security\n            -        systems) operated by or under the control of such agency, including an identification of \n\n            the interfaces between each such system and all other systems or networks, including those not \n\n            operated by or under the control of the agency. \n\n\n  3.b. \t    Response Categories:                                                                                  - Approximately 96-100% complete\n                  Approximately 0-50% complete\n                  Approximately 51-70% complete\n            -     Approximately 71-80% complete\n            -     Approximately 81-95% complete\n            -     Approximately 96-100% complete\n            -\n  3.c. \t    The\n            -   OIG generally agrees with the CIO on the number of agency owned systems.                          Yes\n\n\n            The OIG generally agrees with the CIO on the number of information systems\n  3.d.                                                                                                            Yes\n            used or operated by a contractor of the agency or other organization on behalf of the agency.\n\n\n  3.e.      The agency inventory is maintained and updated at least annually.           
                          Yes\n\n   3.f.     The agency has completed system e-authentication risk assessments.                                    Yes\n\nComment: 3.c and 3.d - The OIG accepted the Agency's numbers as accurate without verification.\n\n\n\n\n                                                                                                     7\n\n\x0c                                                                                                      Question 4\n4\nThrough this question, and in the format provided below, assess whether the agency has developed, implemented,\nand is managing an agency wide plan of action and milestone (POA&M) process. Evaluate the degree to which\nthe following statements reflect the status in your agency by choosing from the responses provided in the drop\ndown menu. If appropriate or necessary, include comments in the area provided below.\n\nFor items 4a.-4.f, the response categories are as follows:\n\n         Rarely, for example, approximately 0-50% of the time\n         Sometimes, for example, approximately 51-70% of the time\n-        Frequently, for example, approximately 71-80% of the time\n-        Mostly, for example, approximately 81-95% of the time\n  -      Almost Always, for example, approximately 96-100% of the time\n-\n-4.a.           The POA&M is an agency wide process, incorporating all known IT security weaknesses\n                associated with information systems used or operated by the agency or by a contractor of               Almost Always, for example, approximately 96-100% of the time\n                the agency or other organization on behalf of the agency.\n                                                                                                                   -\n4.b.            
When an IT security weakness is identified, program officials (including CIOs,\n                if they own or operate a system) develop, implement, and manage POA&Ms for                             Almost Always, for example, approximately 96-100% of the time   .\n                their system(s)\n                                                                                                                   -\n4.c.             Program officials, including contractors, report to the CIO on a regular basis\n                                                                                                                       Almost Always, for example, approximately 96-100% of the time\n                 (at least quarterly) on their remediation progress.\n                                                                                                                   -\n4.d.            CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.           Almost Always, for example, approximately 96-100% of the time\n                                                                                                                   -\n4.e.             OIG findings are incorporated into the POA&M process.                                                 Almost Always, for example, approximately 96-100% of the time\n\n4.f. \t          POA&M process prioritizes IT security weaknesses to help ensure significant IT security  -\n                                                                                                               Almost Always, for example, approximately 96-100% of the time\n                weaknesses are addressed in a timely manner and receive appropriate resources\nComment: 4.a. 
Although we found that the Agency is putting POA&Ms in place for security weaknesses that they\n                                                                                                         -   are made aware of, they did not have adequate processes in place to\ndiscover security weaknesses that should have been easily identified.\n\n\n\n\n                                                                                                       8\n\n\x0c                                                                                          Question 5\n\n\n\nOIG Assessment of the Certification and Accreditation Process. OMB is requesting IGs to provide a qualitative assessment of the agency\xe2\x80\x99s certification and accreditation\nprocess, including adherence to existing policy, guidance, and standards. Agencies shall follow NIST Special Publication 800-37, \xe2\x80\x9cGuide for the Security Certification and\nAccreditation of Federal Information Systems\xe2\x80\x9d (May, 2004) for certification and accreditation work initiated after May, 2004. 
This includes use of the FIPS 199 (February, 2004), “Standards for Security Categorization of Federal Information and Information Systems,” to determine an impact level, as well as associated NIST documents used as guidance for completing risk assessments and security plans.

Assess the overall quality of the Department's certification and accreditation process.
     Response Categories:
     - Excellent
     - Good
     - Satisfactory
     - Poor
     - Failing
     Response: Good

Comments: This is based on auditor opinion that EPA’s overall ratings for C&A are as follows: existing policies are excellent (OMB response category), oversight and review processes are good (OMB response category), and Program Office execution (for our five selected systems) is poor (OMB response category).

Section B: Inspector General. Question 6, 7, 8, and 9.

Agency Name: Environmental Protection Agency

Question 6
6.a. Is there an agency wide security configuration policy? (Yes or No.)
     Response: Yes
     Comments: Configuration guides are available for the products listed below.

6.b. Identify which software is addressed in the agency wide security configuration policy. Indicate whether or not any agency systems run the software. In addition, approximate the extent of implementation of the security configuration policy on the systems running the software.
     Response choices for the extent of implementation include:
     - Rarely, or, on approximately 0-50% of the systems running this software
     - Sometimes, or on approximately 51-70% of the systems running this software
     - Frequently, or on approximately 71-80% of the systems running this software
     - Mostly, or on approximately 81-95% of the systems running this software
     - Almost Always, or on approximately 96-100% of the systems running this software

Product                     Addressed in         Do any agency        Approximate extent of implementation of the security
                            agencywide policy?   systems run this     configuration policy on the systems running the software
                            (Yes, No, or N/A)    software? (Yes or No)
Windows XP Professional     Yes                  Yes                  Almost Always, or on approximately 96-100% of the systems running this software
Windows NT                  Yes                  Yes                  Almost Always, or on approximately 96-100% of the systems running this software
Windows 2000 Professional   Yes                  Yes
Windows 2000 Server         Yes                  Yes                  Mostly, or on approximately 81-95% of the systems running this software
Windows 2003 Server         Yes                  Yes                  Almost Always, or on approximately 96-100% of the systems running this software
Solaris                     Yes                  Yes
HP-UX                       N/A                  No
Linux                       Yes                  Yes
Cisco Router IOS            Yes                  Yes
Oracle                      Yes                  Yes
Other. Specify: Unix 5.1    Yes                  Yes                  Mostly, or on approximately 81-95% of the systems running this software

Comments: We reviewed a small subset of server configuration settings on a total of 4 servers (1 for each of 4 of the products whose configuration settings we commented on above). We had the following results: for Windows 2000 Server, we reviewed 17 out of 134 settings included in the SCD and found 15 complied. For Windows 2003 Server, we reviewed 17 out of 183 settings included in the SCD and found 17 complied. For Windows NT, we reviewed 10 out of 101 settings included in the SCD and found 10 complied. For Unix 5.1, we reviewed 7 out of 89 settings included in the SCD and found 6 complied.

Question 7
Indicate whether or not the following policies and procedures are in place at your agency. If appropriate or necessary, include comments in the area provided below.

7.a. The agency follows documented policies and procedures for identifying and reporting incidents internally. (Yes or No.)
     Response: Yes

7.b. The agency follows documented policies and procedures for external reporting to law enforcement authorities. (Yes or No.)
     Response: Yes

7.c. The agency follows defined procedures for reporting to the United States Computer Emergency Readiness Team (US-CERT), http://www.us-cert.gov. (Yes or No.)
     Response: Yes

Comments: (none)

Question 8
Has the agency ensured security training and awareness of all employees, including contractors and those employees with significant IT security responsibilities?
     Response Choices include:
     - Rarely, or, approximately 0-50% of employees have sufficient training
     - Sometimes, or approximately 51-70% of employees have sufficient training
     - Frequently, or approximately 71-80% of employees have sufficient training
     - Mostly, or approximately 81-95% of employees have sufficient training
     - Almost Always, or approximately 96-100% of employees have sufficient training
     Response: Mostly, or approximately 81-95% of employees have sufficient training

Comment: (none)

Question 9
Does the agency explain policies regarding peer-to-peer file sharing in IT security awareness training, ethics training, or any other agency wide training? (Yes or No.)
     Response: Yes

Appendix A

Summary of Significant Fiscal 2005 Security Control Audits

During Fiscal 2005, EPA’s Office of Inspector General (OIG) conducted several audits of EPA’s information technology security program and information systems. The following summary synopsizes key findings and recommendations. Copies of all final reports are located on the OIG’s Internet site at http://www.epa.gov/oig/publications.htm.

1. Audit of EPA’s Fiscal 2004 and 2003 Financial Statements, Report No. 2005-1-00021, November 15, 2004

The requirement for audited financial statements was enacted to help bring about improvements in agencies’ financial management practices, systems, and controls so that timely and reliable information is available for managing Federal programs. In conjunction with this audit, we reported Reportable Conditions related to system development, and certification and accreditation, of EPA’s Grant Payment Allocation System (GPAS) and Inter-Governmental Document Online Tracking System (IDOTS). In addition, we continued to report that we are unable to assess the application processing controls surrounding the Integrated Financial Management System (IFMS), EPA’s core financial system.
Specifically, we reported:

     • The Office of Chief Financial Officer (OCFO) developed and implemented the GPAS and IDOTS accounting systems without assessing the risks these systems pose to Agency assets, personnel, and operations. In addition, EPA did not produce key security documents for these systems, nor ensure management controls were operating effectively by assessing and testing security controls for the GPAS and IDOTS. We made several recommendations to OCFO’s Director, Office of Financial Services to improve the GPAS and IDOTS’ security. These included: (1) conducting a formal risk assessment; (2) conducting a review of GPAS’ compliance with all applicable Joint Financial Management Improvement Program system requirements; and (3) directing offices to follow Agency system development policy. We also recommended that the Director: (1) complete and document a formal certification and accreditation; (2) update the systems’ certification and accreditation status in the Agency’s self-assessment database; (3) develop and implement a formal patch management process; and (4) implement a formal process to conduct vulnerability scanning and control testing on a regular basis.

     • We continue to be unable to assess the adequacy of the automated application control structure as it relates to automated input, processing, and output controls for IFMS. Since IFMS has a direct and material impact on the Agency’s financial statements, assessing each application is necessary to determine the reliance we can place on the financial statements.
During past financial statement audits, we attempted to evaluate controls without systems documentation, but these alternatives proved to be inefficient and impractical. OCFO has no plans to update the IFMS system documentation until it implements the new financial replacement software package, currently projected for Fiscal 2008. Until the new system is in place, we cannot assess the adequacy of the automated internal control structure.

2. Security Configuration and Monitoring of EPA’s Remote Access Methods Need Improvement, Report No. 2005-P-00011, March 22, 2005

Our audit of various EPA remote access methodologies determined that system administrators did not configure Web-Mail and BlackBerry servers to provide secure remote access to the Agency’s network. We found that the system administrators did not configure or update 59 percent of the Web-Mail and BlackBerry servers to mitigate vulnerabilities. We also found several of the Agency’s BlackBerry devices were not adequately configured, secured, or monitored. We found deficiencies in security configuration settings and physical security of BlackBerry devices.

We made several recommendations to EPA’s Director, Office of Technology Operations and Planning. These included establishing and requiring all remote access systems to have security monitoring and network vulnerability scanning; developing standards that define authorized open ports and services for the Web-Mail and BlackBerry servers’ Operating System; and conducting a risk assessment and establishing a process to consistently configure devices. The Agency generally agreed with the recommendations and indicated corrective actions that, when implemented, would address the recommendations.

3. PeoplePlus Security Controls Need Improvement, Report No. 2005-P-00019, July 28, 2005

Our review identified three significant issues in the security administration of PeoplePlus. First, the Agency had not followed prescribed procedures for managing user access privileges, monitoring changes in employee responsibilities, and processing system access requests. Second, EPA did not verify or conduct the required National Agency Check with Inquiries and Credit background screenings for 45 percent (10 of 22) of contractor personnel with PeoplePlus access. Third, EPA implemented PeoplePlus without adequately implementing security controls for two key processes. Specifically, the Office of Chief Financial Officer had not properly secured default user IDs and did not adequately separate incompatible duties performed by the Security Administrator.

We recommended the Directors of EPA’s Office of Financial Services and Office of Human Resources take 13 actions to improve PeoplePlus security controls. These recommendations address areas where EPA could improve user access management and contractor background screening procedures. These recommendations include: (1) reinforcing the requirements to follow prescribed policies and procedures; (2) providing a training program to increase awareness and ability to perform security duties; (3) evaluating the need for system development contractors to have access to the production environment; and (4) establishing a milestone date to complete contractor background screening. We recommended that EPA evaluate all default user IDs to secure them, and assign Security Administrators’ responsibilities in a manner that provides adequate separation of incompatible duties. EPA concurred with all of our recommendations and provided a plan of action to address concerns.

4. Agency Information Systems Security Controls Audit, Planned Final Report Date is October 2005

Our objectives were to provide an independent evaluation of the information security program and practices of the Agency. This included selecting a sample of EPA’s information systems and: (1) evaluating certification and accreditation to determine Agency compliance with Federal guidance; (2) determining whether security control costs are integrated into the life cycle of the system; (3) determining whether security controls have been tested and evaluated in the last year; (4) reviewing contingency plans and the testing of plans; (5) reviewing compliance with system standard configuration documents; and (6) conducting and analyzing results of technical vulnerability scans. We began this audit in February 2005 and plan to issue the final report in October 2005.

5. Physical Access and Service Continuity/Contingency Controls for Financial and Mixed-Financial Systems Located at the Research Triangle Park Campus, Planned Final Report Date is November 2005

The OIG hired a contractor to assess physical access controls and service continuity/contingency for financial and mixed-financial applications located at its Research Triangle Park Campus in North Carolina. The audit’s objectives were to: (1) gather the inventory of financial and mixed financial applications hosted at the Research Triangle Park facility to guide their review; (2) evaluate physical security controls in accordance with relevant Federal and EPA criteria and best practices; and (3) evaluate service continuity/contingency controls in accordance with relevant Federal and EPA criteria and best practices. The contractor began this audit in February 2005 and plans to issue its final report in November 2005.